Configure HTTP Header

Last updated: 2020-02-24 10:43:13


Tencent Cloud provides HTTP Header configuration, which enables features such as cross-domain access by adding the configured header fields to the response message returned when your users request service resources.
If a resource is not hit at a node, the request goes back to the origin. In this case, all header information returned by the origin server is returned to the user. If the resource is hit in the cache at a node, CDN by default returns the cached Access-Control-Allow-Origin, Timing-Allow-Origin, Content-Disposition and Accept-Ranges header information of the origin server to the user. If you wish to cache all headers from the origin, please submit a ticket to request manual configuration support.
Since the HTTP Header configuration applies to the domain name, once it takes effect the configured headers are added to the response message for any resource under the domain name. Configuring HTTP Header only affects the response behavior of clients, such as browsers, and does not affect the caching behavior of CDN nodes.

Configuration Guide

  1. Log in to the CDN Console and click Domain Name Management on the left sidebar to enter the management page. Find the domain name you want to edit and click Manage in the "Operation" column.
  2. Find the HTTP Header configuration module under [Advanced configuration]. By default, HTTP Header configuration is disabled.
  3. Turn on the HTTP Header switch to add headers.
    CDN provides the following six common types of header settings, as well as custom header settings:
    • Access-Control-Allow-Origin: specifies the request origins allowed to access the resource in a cross-domain request.
    • Access-Control-Allow-Methods: specifies the request methods allowed in a cross-domain request.
    • Access-Control-Max-Age: specifies the maximum time for which the result of a pre-request for a particular resource is cached in a cross-domain request.
    • Access-Control-Expose-Headers: specifies the header information that may be accessed in a cross-domain request.
    • Content-Disposition: makes the client download the resource and sets the default file name.
    • Content-Language: defines the language code used by the page.
    • Custom: custom header.
  4. Suppose the configuration is Access-Control-Allow-Origin set to the wildcard *. After you confirm the submission, the switch is on and the configuration in effect is displayed below. Click "modify" to change the configuration. Click "Delete" to delete the configuration.
  5. After you turn off the HTTP Header switch, the configuration below becomes invalid, that is, the HTTP Header configuration is not enabled. It can be turned on manually again.

General Configurations


Content-Disposition is used to trigger a download in the browser, and lets you set the default download file name. When the server sends a file to the client browser, a file type the browser supports, such as TXT or JPG, is by default opened directly in the browser. If you need to prompt the user to save the file, you can override the browser's default behavior by configuring the Content-Disposition field. A common configuration is as follows:
Content-Disposition: attachment; filename="filename.jpg"


Content-Language is used to define the language code used in the page. Common configurations are shown below:
'Content-Language': 'zh-cn',
Content-Language: en-US

Cross-domain Configurations

Cross-domain access occurs when a resource under one domain name initiates a request to a resource under another domain name; the request is cross-domain because the two resources belong to different domain names. A different protocol or a different port also makes access cross-domain. In this case, the cross-domain configuration must be added to the response header for the former to get the data successfully.


Access-Control-Allow-Origin is used to solve the cross-domain permission problem for resources. The domain value defines the domains that are allowed to access the resource. If the source request Host is in the configured domain name list, the corresponding value is filled directly into the response header. You can also set the wildcard * to allow requests from all domains.

Up to 10 domain names can be configured, one per line, separated by line breaks.

  • Introduction of matching patterns (match mode, domain value, description):
    • Full match. Domain value: *. When set to *, the header Access-Control-Allow-Origin is added to the response header with the value *.
    • Fixed matching. If the source is hit in the list, the header Access-Control-Allow-Origin is added to the response header. If the source is not hit in the list, the header is not added to the response header.
    • Second-level pan-domain name matching. Domain value: http://* If the source matches, the header Access-Control-Allow-Origin is added to the response header. If the source does not match, the header is not added to the response header.
    • Port matching. If the source matches, the header Access-Control-Allow-Origin is added to the response header. If the source does not match, the header is not added to the response header.

If a special port is used, the relevant information must be entered in the list. Matching any port is not supported; the port must be specified.
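The matching modes above, written out as a function so a configured list can be checked against sample origins before it is deployed. This is an added example, not Tencent Cloud's code; the host names, the `http://*.example.com` entry form, the one-label reading of pan-domain matching and the use of the request origin as the header value are assumptions.

```javascript
const HEADER = 'Access-Control-Allow-Origin';

// Split an origin or list entry into scheme, host and optional explicit port.
function parseOrigin(value) {
  const m = /^(https?):\/\/([^\/:]+)(?::(\d+))?$/i.exec(value.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || '' };
}

// True when one list entry matches the request origin.
function entryMatches(entry, origin) {
  const e = parseOrigin(entry);
  const o = parseOrigin(origin);
  if (!e || !o) return false;
  // Protocol and port are part of the origin; there is no "any port" match.
  if (e.scheme !== o.scheme || e.port !== o.port) return false;
  if (e.host.startsWith('*.')) {
    // Pan-domain entry (assumed form): one extra label in front of the suffix,
    // anchored at the dot so a look-alike suffix is never accepted.
    const suffix = e.host.slice(1); // ".example.com"
    if (!o.host.endsWith(suffix)) return false;
    const label = o.host.slice(0, -suffix.length);
    return label.length > 0 && !label.includes('.');
  }
  return e.host === o.host; // fixed matching
}

// Returns the header to add to the response, or null when none is added.
function allowOriginHeader(allowList, origin) {
  if (allowList.length > 10) throw new Error('at most 10 entries are supported');
  if (allowList.includes('*')) return { [HEADER]: '*' }; // full match
  const hit = allowList.some((entry) => entryMatches(entry, origin));
  // Assumption: on a hit the request origin itself is returned as the value.
  return hit ? { [HEADER]: origin } : null;
}

// Constructed sample list and origins.
const sampleList = [
  'https://www.example.com',
  'http://*.example.com',
  'https://www.example.com:8080',
];
for (const origin of ['https://www.example.com', 'http://img.example.com',
  'https://www.example.com:8443', 'http://evilexample.com']) {
  console.log(origin, '->', JSON.stringify(allowOriginHeader(sampleList, origin)));
}
```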


Access-Control-Allow-Methods sets the HTTP request methods allowed for cross-domain requests. Multiple methods can be set at the same time, as follows:
Access-Control-Allow-Methods: POST, GET, OPTIONS


Access-Control-Max-Age specifies the validity period of the pre-request.
For a non-simple cross-domain request, an HTTP query request, called a "pre-request", must be sent before the formal communication to find out whether the cross-domain request is secure and acceptable. The following requests are regarded as non-simple cross-domain requests:

  • The request is initiated using a method other than GET, HEAD or POST or it is initiated using POST with a data type other than application/x-www-form-urlencoded, multipart/form-data and text/plain, such as application/xml or text/xml;
  • A custom request header is used.

Access-Control-Max-Age is measured in seconds. Here is a configuration example:
Access-Control-Max-Age: 1728000
This indicates that no more pre-requests will be sent for cross-domain access to this resource within 1728000 seconds (20 days).
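The two non-simple request rules and the Max-Age window above, as an added example that is not part of the original documentation. The request objects, timestamps, the single cache entry per resource and the optional `clientCap` (an upper bound a client may place on the value it honours) are assumptions made for illustration.

```javascript
const SIMPLE_METHODS = ['GET', 'HEAD', 'POST'];
const SIMPLE_POST_TYPES = [
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
];

// True when the request is a non-simple cross-domain request.
function needsPreRequest({ method, contentType = '', customHeaders = [] }) {
  const m = method.toUpperCase();
  if (!SIMPLE_METHODS.includes(m)) return true;   // e.g. PUT, DELETE
  if (customHeaders.length > 0) return true;      // custom request header used
  if (m === 'POST') {
    // Ignore parameters such as "; charset=utf-8" when comparing the type.
    const type = contentType.split(';')[0].trim().toLowerCase();
    return type !== '' && !SIMPLE_POST_TYPES.includes(type);
  }
  return false;
}

// Counts the pre-requests sent for a time-ordered list of requests to one
// resource. `at` is a timestamp in seconds; maxAge is Access-Control-Max-Age.
function countPreRequests(requests, maxAge, clientCap = Infinity) {
  const ttl = Math.min(maxAge, clientCap);
  let cachedUntil = -Infinity;
  let sent = 0;
  for (const req of requests) {
    if (!needsPreRequest(req)) continue;          // simple request: none needed
    if (req.at >= cachedUntil) {                  // no valid cached result
      sent += 1;
      cachedUntil = req.at + ttl;
    }
  }
  return sent;
}

// Constructed sample traffic: three PUTs and one GET over about 20 days.
const sampleRequests = [
  { method: 'PUT', at: 0 },
  { method: 'PUT', at: 3600 },
  { method: 'GET', at: 4000 },
  { method: 'PUT', at: 90000 },
  { method: 'PUT', at: 1728001 },
];
console.log('Max-Age 1728000:', countPreRequests(sampleRequests, 1728000));
console.log('same, client cap 7200:', countPreRequests(sampleRequests, 1728000, 7200));
```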


Access-Control-Expose-Headers specifies which headers can be exposed to the client as part of the response. By default, only 6 headers are exposed to the client:

  • Cache-Control
  • Content-Language
  • Content-Type
  • Expires
  • Last-Modified
  • Pragma

If you want the client to be able to access other header information, you can set it as follows. When you enter multiple headers, separate them with a comma (,).
Access-Control-Expose-Headers: Content-Length,X-My-Header
This indicates that the client can access the Content-Length and X-My-Header header information.

Custom header

  1. Custom headers are supported; select "Custom" in the parameter list.
  2. Enter the custom key-value pair.

The following Header additions are not supported:

- Expires
- Content-Type
- Content-Encoding
- Cache-Control


When multiple headers are added repeatedly, the one at the bottom has higher priority than the one at the top and directly overrides it.